What Changed
Cisco Umbrella Function App connector (v3.0.8 → v3.0.9) patches critical CSV parsing failures that caused complete ingestion stoppage.
Security Impact (Visibility & Fidelity)
Complete ingestion failure: Deployments running v3.0.8 and earlier experienced total data loss when encountering oversized CSV fields or null characters in Cisco Umbrella logs. Per PR discussion: “Ingestion fails for large CSV fields during parsing. Ingestion stops completely when this occurs.”
Data source blind spot: When the CSV parser encountered a single oversized field (>128KB default limit) or embedded null bytes, the entire ingestion pipeline stalled. No subsequent Cisco Umbrella events were processed until manual intervention.
Affected log types: All 12 CSV parsers (proxy, DNS, DLP, IP, file events) were vulnerable to the same parsing failure modes.
Technical Fixes
- Module-level CSV field limit: Moved csv.field_size_limit(1024 * 1024) to module level, so the 1 MiB limit is set once instead of being called redundantly in every parser
- Null byte sanitization: Consolidated null character stripping in unpack_file() to prevent _csv.Error
- Error recovery: Added csv.Error exception handling to log failures and continue processing remaining files
- Ingestion continuity: Parser errors no longer terminate the entire ingestion batch
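The three fixes above can be seen working together in the following added example, which is not the connector's own code. The function names strip_nulls and parse_batch and the sample file names are assumptions made for illustration, and the sample rows are constructed.

```python
import csv
import io

# Set once at import time; the csv default is 131072 (128 KiB) per field.
csv.field_size_limit(1024 * 1024)

def strip_nulls(text):
    """Remove NUL characters, which the page reports as triggering _csv.Error."""
    return text.replace("\x00", "")

def parse_batch(files):
    """Parse {name: csv_text}; return (parsed_rows, failures) without aborting."""
    parsed, failures = {}, {}
    for name, raw in files.items():
        try:
            parsed[name] = list(csv.reader(io.StringIO(strip_nulls(raw))))
        except csv.Error as exc:
            # Record the gap so it can be alerted on, then keep processing.
            failures[name] = str(exc)
    return parsed, failures

# Constructed sample batch (hypothetical names, not real Umbrella data).
SAMPLE_FILES = {
    "dns-a.csv": "2024-01-01 00:00:00,host1,example.com\n",
    # One field above the 128 KiB default but below the raised 1 MiB limit.
    "proxy-big.csv": "2024-01-01 00:00:01," + "A" * 200_000 + "\n",
    # Embedded NUL character inside a field.
    "dns-nul.csv": "2024-01-01 00:00:02,ho\x00st2,example.org\n",
    # One field above even the raised limit: still fails, but only this file.
    "proxy-huge.csv": "2024-01-01 00:00:03," + "B" * (2 * 1024 * 1024) + "\n",
    "dns-b.csv": "2024-01-01 00:00:04,host3,example.net\n",
}

if __name__ == "__main__":
    parsed, failures = parse_batch(SAMPLE_FILES)
    for name in SAMPLE_FILES:
        if name in failures:
            print(f"{name}: FAILED ({failures[name]})")
        else:
            print(f"{name}: {len(parsed[name])} row(s)")
```

A file that still exceeds the raised limit is skipped rather than parsed, so the failures map is what to alert on: each entry is a remaining gap in Umbrella visibility.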
Deployment Priority
Immediate update recommended for all Cisco Umbrella deployments. Version displays correctly as 3.0.9 (previously showed 1.0.0 in Azure UI).
Affected Files
Solutions/CiscoUmbrella/Data Connectors/ciscoUmbrellaDataConn/__init__.py
(packaging artefacts: 3.0.9.zip, CiscoUmbrellaConn.zip, ReleaseNotes.md, Solution_CiscoUmbrella.json, createUiDefinition.json, mainTemplate.json)